More than ever, cyber criminals continue to target people with social engineering, with the end goal of siphoning sensitive information, whether it be financial details, confidential corporate data or personal information. While much of this activity is aimed at employees within organisations across all industries, the education sector is increasingly a target for criminals.
With a record number of students now attending university in the UK, cyber criminals have a vast opportunity to target this industry, capitalising on the increased communication between students, teachers and third-party suppliers. As in many other industries, attacks on universities are often successful because people, not technology, are targeted. Because it can be almost impossible for an unsuspecting student or staff member to identify a fraudulent email from a real one, most UK CISOs consider human error to be an organisation’s biggest cyber vulnerability.
We have seen many examples of UK universities being targeted in recent years. For example, the recent attack on Sunderland University proves that despite increased awareness around cyber protection and cyber threat scenarios, data breaches can still occur and heavily disrupt daily activity – and no industry is an exception.
That recent breach provides a perfect cautionary tale for other educational institutions, as the attack left staff and students unable to access emails, remote learning systems and telephone lines. The unique issue is that universities are a popular target because of the wealth of data they hold and the many possible breach points.
Many universities, like Sunderland, are also research institutes, so they want to keep access to data and information as open as possible, which can be perilous in a cyber attack. However, although the problem is complex, the solution to best mitigate these threats can be more straightforward.
Your email can be your weakness
The education sector’s open and outward nature, enabling collaboration between academics worldwide, means cyber criminals do not need to look very hard to find the resources to exploit and impersonate their target. Cyber criminals extensively use domain spoofing to pose as well-known organisations by sending an email from a supposedly legitimate sender. These emails act as the bait to obtain the data needed to conduct successful attacks: a well-tailored email results in a member of staff or a student being tricked into acting on a malicious message.
To mitigate this, organisations need to deploy authentication protocols such as Domain-based Message Authentication, Reporting and Conformance (DMARC) to shore up their email fraud defence. Acting as an open email authentication protocol that provides domain-level protection of the email channel, DMARC authentication detects and prevents the email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks.
DMARC is the first and only widely deployed technology that can ensure an email really was sent by the domain it claims to come from. By implementing the strictest level of DMARC – which fully rejects any email that is deemed to be coming from a spoofed domain – universities can actively block fraudulent emails from reaching their intended targets, protecting their students, staff and partners from cyber criminals seeking to impersonate their brand.
UK universities need to protect themselves
Unfortunately, according to the recent University DMARC research carried out by Proofpoint, only 15% of UK universities have implemented the recommended and strictest level of DMARC protection (reject), which blocks fraudulent emails from reaching their intended targets. This means 85% of UK universities are leaving students and staff open to email fraud that could lead to a crippling cyber attack.
Encouragingly, more than two-thirds of universities have taken initial steps to protect their students and staff from email fraud, with 70% publishing some level of DMARC record. However, much more needs to be done to actively protect email users from attackers impersonating these universities.
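As an added illustration (not code from the article or from Proofpoint), the following Python checker parses a domain's DMARC TXT record into the tiers the article describes (no record, a monitoring-only p=none record, quarantine, and the recommended reject level) and then computes the disposition a receiving mail server would apply to one message, using relaxed or strict identifier alignment. All domains and records are constructed, and the organisational-domain logic is simplified (real receivers consult the Public Suffix List).

```python
# Added example, not from the article: all domains and records below are constructed.
SAMPLE_RECORDS = {                          # hypothetical domain -> published _dmarc TXT
    "no-record.example": None,              # no DMARC record published at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@monitor.example",
    "soft.example": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "broken.example": "v=DMARC1 p=reject",  # tags not separated by ';' -> unusable
}

def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a usable DMARC1 record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be present and p= is required in an organizational-domain record
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(txt):                          # tiers the article reports: none / some / reject
    tags = parse_dmarc(txt)
    if tags is None:
        return "no usable record"
    return {"none": "monitor-only", "quarantine": "quarantine", "reject": "reject"}.get(
        tags["p"].lower(), "no usable record")

def org_domain(domain):                     # simplified; real receivers use the Public Suffix List
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode): # strict needs exact match, relaxed same org domain
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def disposition(txt, from_domain, spf_domain=None, dkim_domain=None):
    """'pass' if SPF or DKIM passed with an aligned domain, else the policy the receiver applies."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"                       # no usable record: nothing to enforce
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()
```

Note that a p=none record gives visibility through aggregate reports but never blocks a spoofed message, which is why the article counts only p=reject as real protection.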
Education institutions hold masses of sensitive data on individuals, so cyber criminals could get instant access to personal information such as name, address, payment details, ID, or health records. Therefore, as well as the necessary DMARC protection, all users must be advised to use strong, unique passwords, with multi-factor authentication wherever possible.
Quite often, attackers create “lookalike” sites imitating familiar brands and institutions, so students and staff should always check the authenticity of a link before clicking it, and stay alert to phishing and smishing attempts.
Time for cyber edification
While DMARC implementation is an essential first step for any institution, organisations also need to invest in user security awareness training at the same time, because people are the most critical variable in a successful cyber attack.
Unfortunately, most users do not understand the role they play in protecting their organisation against cyber threats, so education bodies must improve cyber awareness by providing training frequently, turning annual security training into shorter sessions held monthly or quarterly. Contrary to popular belief, the younger generation is often more relaxed about cyber security than their older counterparts, with weak passwords and the reuse of credentials rife among students, so security awareness training must be a priority for newly enrolled students.
A consistent effort from staff and students is required to shore up security hygiene. The more each user understands about the threats they face, the methods implemented by criminals, and how their own behaviour can be the difference between a secure or breached system, the better they are equipped to protect their organisation from harm.
Cyber criminals pay close attention to major trends and will drive targeted attacks using social engineering techniques, so it is important for staff and students to be aware of new, emerging threats before an attack happens. The education sector simply must deploy authentication protocols, such as DMARC, to shore up its email fraud defences while providing security training for students and staff.
As people are the first line of defence, universities need to educate those using their network on how a single click can be the open door a cyber criminal is waiting to walk through.
Adenike Cosgrove is cyber security strategist at Proofpoint’s international business